My expectations are that whenever I run
My search:
| fields <>
| lookup virustotal_url_cache vt_urls AS url OUTPUT vt_positives, vt_classification, vt_threat_id
| virustotal url=url rescan=false
| table <>
Whatever isn't cached, it will hit the API; if it has been searched, it will return the results and cache it in the KVStore.
This hasn't been happening. Also, nothing has been cached to begin with. I ran a test on 8.8.8.8 and nothing returns.
I am running Splunk Cloud.